
Add polling config and restart orchestration for OBA #307

Closed

sehkone wants to merge 3 commits into main from sehkone/issue-301

Conversation

@sehkone (Contributor) commented Feb 22, 2026

Summary

  • Add template_config { static_secret_render_interval = "5m" } to OpenBao Agent HCL so KV v2 static secrets are re-polled periodically
  • Change rotation orchestration to: write KV → restart OBA container → poll rendered file → restart dependent service
  • Remove dead helpers (write_ca_json_dsn, build_responder_config, update_responder_hmac) since OBA now handles file rendering
  • Add error_rendered_file_timeout i18n message (EN/KO)

Test plan

  • Unit tests for wait_for_rendered_file (immediate success + timeout)
  • Unit test for template_config block in HCL output
  • Integration test: OBA restart ordering before compose restart (stepca-password)
  • Integration test: OBA restart ordering before HUP reload (responder-hmac)
  • Integration test: AppRole auth + fake docker render simulation
  • E2E test: full rotation sequence with fake docker
  • Docker E2E: ./tests/docker/run-e2e.sh main-lifecycle
  • Docker E2E: ./tests/docker/run-e2e.sh rotation-recovery

Closes #301

OpenBao Agent only renders KV v2 templates once at startup unless
template_config.static_secret_render_interval is set. Add the block
with a 5-minute interval so agents re-check KV for changes.

Rotation now follows write-KV → restart-OBA → poll-rendered-file →
restart-service, ensuring secrets are rendered before the dependent
service restarts. Dead helpers (write_ca_json_dsn, build_responder_config,
update_responder_hmac) removed since OBA handles file rendering.

Closes #301

Prevent secret_id file deletion after first read by setting
remove_secret_id_file_after_reading = false in the auto_auth config.
Without this, OBA cannot re-authenticate after a container restart
because the secret_id file no longer exists.

Mount the responder config directory instead of the file in the
Docker compose override. When OBA atomically renders templates
(write temp + rename), the file gets a new inode. Docker file bind
mounts track inodes, so the container keeps seeing stale content.
Directory mounts avoid this problem.

Refs #301

With a 5-minute static_secret_render_interval, OpenBao Agent defers
re-rendering by up to 5 minutes after container restart. This causes
the 60-second wait_for_rendered_file timeout to expire in CI before
the template is updated with the new secret value.

Reducing to 30s ensures OBA re-renders within the polling window.
Also add OBA agent log capture to E2E failure artifacts for easier
diagnosis of future failures.

Refs #301
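The commit messages above describe three behaviours worth seeing together: the rotation order (write KV, restart OBA, poll the rendered file, only then restart the dependent service), the polling helper that gives up with a timeout, and the inode change caused by OpenBao Agent's write-temp-plus-rename rendering that makes a Docker file bind mount go stale. The following is an added example, not code from this PR or the project; `wait_for_rendered_file` shares its name with the PR's helper but the implementation here is an assumption, and `write_kv`, `restart_oba` and `restart_service` are hypothetical callables standing in for the real orchestration steps. All file contents are constructed sample data.

```python
"""Added example: atomic render, rendered-file polling, and rotation ordering.
Not the project's own code; names other than the PR's helper are hypothetical."""
import os
import tempfile
import time
from pathlib import Path
from typing import Callable, List


def atomic_render(path: Path, content: str) -> None:
    """Write to a temp file in the same directory, then rename over the target.

    This mirrors the write-temp-plus-rename pattern the commit message attributes
    to OpenBao Agent. The rename swaps the directory entry, so `path` now refers
    to a different inode; anything that latched onto the old inode (a Docker
    file bind mount, an already-open descriptor) keeps seeing the old content.
    """
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=f".{path.name}.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)  # do not leave a half-written temp file behind
        raise


def wait_for_rendered_file(path: Path, expected: str,
                           timeout: float = 60.0, interval: float = 0.5) -> bool:
    """Poll until `path` exists and contains `expected`, or `timeout` elapses.

    Returns True once the new value is visible, False on timeout. The file is
    re-read from its path on every poll (no cached descriptor), so the atomic
    rename above is observed as soon as it lands.
    """
    deadline = time.monotonic() + timeout
    while True:
        try:
            if expected in path.read_text():
                return True
        except FileNotFoundError:
            pass  # agent has not rendered the file yet
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            return False
        time.sleep(min(interval, remaining))


def rotate_secret(write_kv: Callable[[], None], restart_oba: Callable[[], None],
                  rendered_path: Path, expected: str,
                  restart_service: Callable[[], None],
                  timeout: float = 60.0, interval: float = 0.5) -> List[str]:
    """Run the rotation sequence in the order the PR describes and return the
    steps performed. The dependent service is restarted only after the rendered
    file is confirmed to carry the new value; on timeout it is left untouched
    and RuntimeError is raised with the PR's i18n key as its message.
    """
    steps: List[str] = []
    write_kv()
    steps.append("write_kv")
    restart_oba()
    steps.append("restart_oba")
    if not wait_for_rendered_file(rendered_path, expected, timeout, interval):
        raise RuntimeError("error_rendered_file_timeout")
    steps.append("poll_rendered_file")
    restart_service()
    steps.append("restart_service")
    return steps


def run_demo() -> dict:
    """Exercise the helpers against a scratch directory (constructed data)."""
    workdir = Path(tempfile.mkdtemp(prefix="oba-demo-"))
    rendered = workdir / "responder.yaml"

    # 1. The inode changes on every atomic render: the root cause of the stale
    #    file bind mount described in the commit message.
    atomic_render(rendered, "hmac_key: old-value\n")
    inode_before = rendered.stat().st_ino
    atomic_render(rendered, "hmac_key: old-value\n")
    inode_changed = rendered.stat().st_ino != inode_before

    # 2. Polling gives up cleanly when the agent never re-renders.
    timed_out = not wait_for_rendered_file(rendered, "new-value",
                                           timeout=0.3, interval=0.05)

    # 3. Full sequence with a fake agent that renders during the OBA restart.
    def fake_restart_oba() -> None:
        atomic_render(rendered, "hmac_key: new-value\n")

    steps = rotate_secret(write_kv=lambda: None, restart_oba=fake_restart_oba,
                          rendered_path=rendered, expected="new-value",
                          restart_service=lambda: None,
                          timeout=1.0, interval=0.05)
    return {"inode_changed": inode_changed, "timed_out": timed_out, "steps": steps}


if __name__ == "__main__":
    print(run_demo())
```

Because `wait_for_rendered_file` re-opens the path on each poll rather than holding a descriptor, it sees the renamed file immediately; a bind mount of the file itself is pinned to the old inode, which is why the PR switches to mounting the directory.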
@sehkone (Contributor, Author) commented Feb 22, 2026

Superseded by combined PR

@sehkone sehkone closed this Feb 22, 2026
@sehkone sehkone deleted the sehkone/issue-301 branch April 13, 2026 12:33

Development

Successfully merging this pull request may close these issues.

Add polling config and restart orchestration for step-ca/responder OpenBao Agent